@cgwalters
Last active March 11, 2016 14:10

The goal here is to create a local mirror of the upstream OSTree repository.

Log into a shell on the host, and run the tools container. This isn't strictly necessary right now, as we could use the host's ostree binary too, but in the future the tools container might contain more scripts for things like this. Once we're inside the tools container, we make an unprivileged user, as a general best practice. It also shows that OSTree is perfectly happy to mirror and manipulate content as non-root.

# atomic run rhel7/rhel-tools
# adduser container

While we're still root, grab the entitlement certs and chown them to the unprivileged container user.

# cd ~container
# cp /host/etc/pki/entitlement/*.pem .
# chown container: *.pem
# runuser -u container bash

From here, we run unprivileged. We use /host/var/tmp/repo so the data is outside of the container. This could be a remote mount point to Ceph/etc.

Then, stick the entitlement certs inside the repo directory (they could be elsewhere, this is just an example).

$ cd /host/var/tmp
$ mkdir repo && ostree --repo=repo init --mode=archive-z2
$ mv ~/*.pem repo/ 

Next, we copy the remote configuration from the host into this repo:

$ cat /host/etc/ostree/remotes.d/redhat.conf >> repo/config

Now, edit repo/config and change the tls-client-* variables to look like the following, substituting the names of the .pem files you copied. This tells ostree where to find the client certificates necessary to access the CDN.

tls-client-cert-path = ./repo/123451234512345.pem
tls-client-key-path = ./repo/123451234512345-key.pem

Finally, now that we're all set up, this command will incrementally mirror all of the content. You can run it out of a cron job/systemd timer etc.

$ ostree --repo=repo pull --mirror rhel-atomic-host-ostree

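For client machines, change /etc/ostree/remotes.d/redhat.conf to point to a static webserver which is exporting the repo directory. If the entitlement certs were left inside repo/ as in the example above, move them elsewhere (and update the tls-client-* paths) or exclude *.pem from the export, since the webserver would otherwise serve the client key along with the content.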
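
A pre-export check for the setup above, as an added example that is not part of the original gist: it reads the tls-client-* paths from repo/config and reports any that are missing, sit inside the directory the webserver will export, or (for the key) are accessible to group/other. The function names are hypothetical, and it assumes relative paths are resolved against the working directory, as the ./repo/... values above suggest.

```shell
# Added example (not from the gist): audit the tls-client-* paths in a mirror
# repo's config. Run it from the directory ostree is run from, e.g.:
#   cd /host/var/tmp && check_mirror_tls repo

# Print the value of KEY ($2) from a "key = value" line in FILE ($1).
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Print one finding per line; return 0 if clean, 1 if anything was found.
check_mirror_tls() {
    repo=$1
    findings=0
    repo_abs=$(cd "$repo" && pwd -P) || { echo "no such repo: $repo"; return 1; }
    for key in tls-client-cert-path tls-client-key-path; do
        path=$(cfg_get "$repo/config" "$key")
        if [ -z "$path" ]; then
            echo "$key: not set in $repo/config"; findings=1; continue
        fi
        # Assumption: relative paths resolve against the working directory.
        if [ ! -r "$path" ]; then
            echo "$key: $path not readable from $(pwd)"; findings=1; continue
        fi
        dir_abs=$(cd "$(dirname "$path")" && pwd -P)
        case "$dir_abs/" in
            "$repo_abs"/*)
                echo "$key: $path is inside the repo and would be served with it"
                findings=1 ;;
        esac
        # Characters 5-10 of the mode string are the group and other bits.
        mode=$(ls -lLd "$path" | cut -c5-10)
        if [ "$key" = tls-client-key-path ] && [ "$mode" != "------" ]; then
            echo "$key: $path is accessible to group/other (chmod 600)"
            findings=1
        fi
    done
    return $findings
}
```

Running it before each pull in the cron job or systemd timer also catches the case where the job starts in a different directory and the relative cert paths no longer resolve.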
